Terminal Deception: Inside CVE-2025-67746 in Composer
Jan 1, 2026
Executive Summary (TL;DR)
Composer, the ubiquitous PHP dependency manager, did not sanitize remote package metadata before printing it to the console, so an attacker controlling a package name or description could embed ANSI escape sequences that the user's terminal would interpret. While the CVSS score is a measly 1.3, the practical implication is that a malicious package could rewrite your terminal history, hide critical security warnings during a `composer audit`, or even crash your terminal emulator. The fix involves a hefty regex to strip control characters.
A deep dive into how ANSI sequence injection allows malicious PHP packages to manipulate your terminal output, hiding warnings and spoofing success messages.
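To make the defensive side concrete, here is an added example (my own code, not Composer's patch and not the regex Composer actually shipped) of a sanitizer that strips terminal escape sequences and control bytes from untrusted metadata before it is written to the console, run on a constructed package record with a placeholder name:

```php
<?php
// Added example, not Composer's own code. Strips ANSI/terminal control
// sequences from untrusted package metadata and flags fields that carried them.
declare(strict_types=1);

/**
 * Remove escape sequences and control characters a terminal would act on.
 * Handles CSI (ESC [ ... final), OSC (ESC ] ... BEL or ESC \), other ESC-prefixed
 * sequences, and raw C0 control bytes. Only tab and newline are kept; CR is
 * dropped because it can overwrite the current line. 8-bit C1 controls (0x80-0x9F)
 * are deliberately left alone: they collide with UTF-8 continuation bytes.
 */
function sanitizeForTerminal(string $untrusted): string
{
    $patterns = [
        '/\x1B\[[0-?]*[ -\/]*[@-~]/',            // CSI, e.g. ESC[2K (erase line)
        '/\x1B\][^\x07\x1B]*(?:\x07|\x1B\\\\)/', // OSC terminated by BEL or ESC \
        '/\x1B[ -\/]*[0-~]/',                     // remaining ESC sequences (RIS etc.)
        '/[\x00-\x08\x0B-\x1F\x7F]/',             // leftover C0 controls and DEL
    ];
    $clean = preg_replace($patterns, '', $untrusted);
    return $clean ?? ''; // fail closed if PCRE reports an error
}

/** True when the field contains bytes that would be interpreted by a terminal. */
function containsTerminalControls(string $field): bool
{
    return $field !== sanitizeForTerminal($field);
}

// Constructed sample metadata: the description carries a cursor-up and
// erase-line sequence that a vulnerable console writer would emit verbatim.
$package = [
    'name'        => 'acme/example',                         // placeholder, not a real package
    'description' => "Helpful library\x1B[1A\x1B[2Kinnocent text",
];

foreach ($package as $field => $value) {
    if (containsTerminalControls($value)) {
        fwrite(STDERR, "warning: control characters stripped from package {$field}\n");
    }
    echo $field, ': ', sanitizeForTerminal($value), PHP_EOL;
}
```

Run with `php` on the command line; the description prints as plain text and a warning goes to stderr, which is the kind of signal an auditing tool can log rather than silently letting the terminal act on the bytes.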
Technical Appendix
CVSS 4.0 vector: `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N`

Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Composer | >= 2.0.0, < 2.2.26 | 2.2.26 |
| Composer | >= 2.3.0, < 2.9.3 | 2.9.3 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-74 |
| Attack Vector | Network (Package Metadata) |
| CVSS Score | 1.3 (Low) |
| Impact | Integrity (Output Manipulation) |
| Exploit Status | PoC Possible (No Active Exploitation) |
| Affected Component | Composer ConsoleIO |
CWE-74 Description
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as commands when sent to a downstream component.